png: update to 1.6.52.
Security fix release.
Version 1.6.52 [December 3, 2025]
Fixed CVE-2025-66293 (high severity):
Out-of-bounds read in `png_image_read_composite`.
(Reported by flyfish101 <flyfish101 at users.noreply.github.com>.)
Fixed the Paeth filter handling in the RISC-V RVV implementation.
(Reported by Filip Wasil; fixed by Liang Junzhao.)
Improved the performance of the RISC-V RVV implementation.
(Contributed by Liang Junzhao.)
Added allocation failure fuzzing to oss-fuzz.
(Contributed by Philippe Antoine.)
Update to version 9.1.1952.
Changes:
- patch 9.1.1952: tests: need better tests for tf files
- runtime(quarto): add missing loaded guard
- runtime(python): Highlight t-strings
- runtime(sml): Update syntax, improve special constant matching
- runtime(hog): set undo_ftplugin correctly, delete trailing whitespace
- patch 9.1.1951: tests: Test_windows_external_cmd_in_cwd() only run in huge builds
- patch 9.1.1950: tests: Test_tagjump.vim leaves swapfiles behind
- patch 9.1.1949: :stag does not use 'switchbuf' option
- runtime(doc): Update vim9.txt Section 1
- patch 9.1.1948: Windows: Vim adds current directory to search path
- patch 9.1.1947: [security]: Windows: Vim may execute commands from current directory
- patch 9.1.1946: Cannot open the help in the current window
- patch 9.1.1945: tests: Test_getbufwintabinfo() leaves swapfiles behind
- patch 9.1.1944: getwininfo() does not return if statusline is visible
- runtime(doc): clarify the use of v:errormsg
- patch 9.1.1943: Memory leak with :breakadd expr
[754 lines not shown]
doc: move m68ksf support news to NEWS
CHANGES-* is picky about containing exactly the package names.
Such news should be added to doc/NEWS instead.
Noticed via www@ htutils/changes/pkg-changes2html script.
sysutils/broot: update to 1.54.0
- fix crash on rendering B&W images with Kitty image protocol
- don't match directories when a composite pattern has a content pattern, even negated (eg /js$/&!c/;: it's clear the user wants to match js files not containing a semicolon)
py-fsspec: updated to 2025.12.0
2025.12.0
Enhancements
- fsspec.parquet to support filters and multiple files
Fixes
- passing withdirs in async _glob()
- fix _rm_file/_rm redirection in async
- allow arrowFile to be seekable
- add size attribute to arrowFile
Other
- support py3.14 and drop 3.9
- avoid ruff warning
textproc/typst: update to 0.14.1
PDF export
Fixed regression where links to labelled elements would sometimes not work correctly
Fixed bug where PDF text attributes could be written incorrectly
Fixed crash in link handling
Fixed crash for zero-sized pages
Fixed crash when a table vline or hline has an out-of-bounds index
Fixed crash in formatting of font-related PDF export errors
Fixed crash when a footnote or place element was queried and reinserted into the document
Fixed crash for PNGs with invalid metadata
Fixed bug where text in SVGs with fill-and-stroke paint order could be exported incorrectly
Fixed bug with layer isolation in SVGs where blending/masking is used
Fixed that table headers could be tagged incorrectly in some scenarios
Fixed issues where generated PDFs could differ between 32-bit and 64-bit systems
Upgraded JPEG decoder used during PDF export for improved compatibility, fixing a case where a valid JPEG was rejected
A PDF document information dictionary that would be empty is now fully omitted instead
A rare crash in PDF tagging was turned into a compiler error
[35 lines not shown]
Match on url / codeberg instead of grammar name
Since this is _probably_ a Codeberg thing and makes this more future
proof if more people migrate to Codeberg.
py-geoip2: updated to 5.2.0
5.2.0 (2025-11-20)
* IMPORTANT: Python 3.10 or greater is required. If you are using an older
version, please use an earlier release.
* `maxminddb` has been upgraded to 3.0.0. This includes free-threading
support.
* Setuptools has been replaced with the uv build backend for building the
package.
* A new ``anonymizer`` object has been added to ``geoip2.models.Insights``.
This object is a ``geoip2.records.Anonymizer`` and contains the following
fields: ``confidence``, ``network_last_seen``, ``provider_name``,
``is_anonymous``, ``is_anonymous_vpn``, ``is_hosting_provider``,
``is_public_proxy``, ``is_residential_proxy``, and ``is_tor_exit_node``.
These provide information about VPN and proxy usage.
* A new ``ip_risk_snapshot`` property has been added to
``geoip2.records.Traits``. This is a float ranging from 0.01 to 99 that
represents the risk associated with the IP address. A higher score indicates
[5 lines not shown]
py-maxminddb: updated to 3.0.0
3.0.0 (2025-10-15)
* IMPORTANT: Python 3.10 or greater is required. If you are using an older
version, please use an earlier release.
* Databases can now be loaded from buffers. This can be done by passing in a
buffer as the database and using mode ``MODE_FD``. Pull request by Emanuel
Seemann.
* The C extension now supports Python 3.13+ free-threading mode and is
thread-safe for concurrent reads on platforms with pthread support (such as
Linux and macOS) and Windows. On other platforms, the extension will use
GIL-based protection.
* The C extension now uses PEP 489 multi-phase initialization, enabling
proper subinterpreter support and module isolation for Python 3.12+. This
modernizes the extension to use heap types instead of static types and
implements per-module state management. Key benefits include support for
Python 3.12+ isolated subinterpreters, multiple independent module
instances, and future-proofing for Python 3.14's InterpreterPoolExecutor.
[16 lines not shown]
py-bandit: updated to 1.9.2
1.9.2
* Check whether Constant value is str
* Argparse Python 3.14 enhancements
1.9.1
* More Python version related fixes
1.9.0
* [pre-commit.ci] pre-commit autoupdate
* Drop support of end-of-life Python 3.9
* Support of Python 3.14
* Bump sigstore/cosign-installer from 3.10.0 to 4.0.0
* [pre-commit.ci] pre-commit autoupdate
* Bump docker/login-action from 3.5.0 to 3.6.0
[10 lines not shown]
unbound: updated to 1.24.2
1.24.2
Bug Fixes
Additional fix for CVE-2025-11411 (possible domain hijacking attack), to include YXDOMAIN and non-referral nodata answers in the mitigation as well, reported by TaoFei Guo from Peking University, Yang Luo and JianJun Chen from Tsinghua University.
py-hishel: updated to 1.1.7
1.1.7
Refactoring
* refactor(storage): create sqlite database path only when creating connections
Miscellaneous Tasks
* chore(deps-dev): bump the python-packages group with 5 updates
Bug Fixes
* fix(cache): Lambda parameter name clashes the loop variable being closed over
Documentation
* add release process guidelines for maintainers
Features
* Feature/accept pathlib path in SqliteStorage
zino: update to version 2.3.4.
Pkgsrc changes:
* version-bump + checksums.
Upstream changes:
- Fixed bug where all recent portstate events were incorrectly
considered as transitioning from a flapping state to its actual
state ([#509](https://github.com/Uninett/zino/issues/509))
- Fall back to decoding incoming server protocol messages as
ISO-8859-1 if UTF-8 decoding fails
zino: update to version 2.3.3.
Pkgsrc changes:
* version-bump + checksums.
Upstream changes:
- Added the last remaining missing items to the `zinoconv` state converter:
  - Event close times are now converted.
  - Flapping state data is now converted.
  - Flapping port states are now converted.
- `zinoconv` verbosity about invalid IPv6 addresses in old state
has been reduced
- Use microsecond timestamps in job identifiers where it is likely
that two instances of the same one-shot job may be scheduled within
a single second (to avoid `ConflictingError` exceptions observed
in logs)
py-sphinxcontrib-spelling: updated to 8.0.2
8.0.2
Switch to hatch
build(deps): bump actions/checkout from 4 to 5
feat: explicitly add python 3.13 support
feat: add automatically generated documentation for key modules
build(deps): bump actions/setup-python from 5 to 6
build(deps): bump actions/checkout from 5 to 6
fix: handle TypeError when source is None in Sphinx 8.2